From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 17:35:42 +0200
Subject: [refpolicy] [PATCH] xserver: fix iceauth_home_t file context
	creation
Message-ID: <1492616142.5407.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch fixes the xserver module so that the hidden .ICEauthority
file is created with the proper context (file transition).

It also optimizes a similar interface used for xauth home files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.if |   33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

--- refpolicy-2.20170204-orig/policy/modules/services/xserver.if	2017-01-29 18:47:23.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/services/xserver.if	2017-04-19 17:07:06.659759701 +0200
@@ -167,6 +167,8 @@ interface(`xserver_role',`
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
+	xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")
+
 	xserver_read_xkb_libs($2)
 ')
 
@@ -561,13 +563,42 @@ interface(`xserver_domtrans_xauth',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
 interface(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
 		type xauth_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, xauth_home_t, file)
+	userdom_user_home_dir_filetrans($1, xauth_home_t, file, $2)
+')
+
+#######################################
+## <summary>
+##	Create a ICEauthority file in
+##	the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, $2)
 ')
 
 ########################################